Hack Proofing Your E-commerce Site (part 7)



Read access, however, is often very practical, if you are able to properly interpret the file format. So although you might have a great deal of difficulty trying to write a new password to a database file by modifying the underlying file directly, reading a copy (if you have that level of file system access) could definitely be useful.

Increasingly, a lot of the interesting stuff at a site lives in a database. This is especially true for e-commerce sites. Also, one extremely common programming mistake developers make when developing a Web site is to improperly escape or filter user-supplied data, giving an attacker a way to send SQL commands to a database. Often, an attacker can get a remote shell by feeding the right set of commands to a SQL server.

Elevation of Privileges Attacks

Ultimately, what any attacker usually wants is higher privileges on the victim machine. If an attacker can gain root on a standard UNIX box, then they can accomplish anything on that box that they want to. More subtle attacks exist, or some that accomplish just the goal of the attacker, but if root can be obtained in an earlier step, then all the other security mechanisms on that machine are essentially turned off.

An elevation of privilege attack is an attack against the integrity of the security structure, though it often leads directly to other compromises. If an attacker can gain further capabilities beyond what they were supposed to have, then a security mechanism somewhere has been broken. Such a mechanism may be broken due to a bad design, a bug, or just because the administrator implemented the mechanism improperly.

The file access and special file access attacks fall under the category of elevation of privilege as well. If an attacker finds a combination of characters that allows him to roam the server’s hard drive at will, then clearly he’s gone from the intended restriction (remaining within the capabilities of the CGI script’s designer) to having a higher level of access.

Some attacks are purely elevation of privileges, though. A classic example is a setuid root UNIX binary with a buffer overflow. An attacker is able to divert the program flow and launch a copy of the shell as the root user. At that point, nothing else has taken place except that the attacker is now the equivalent of root and can continue from there.


Another example of a privilege escalation is any service with a hole that yields a remote shell. This kind of hole allows an attacker to go from a position of being able to perform only the functions that the services provide (which is what the administrator wanted) to being able to run arbitrary commands and poke around the file system. She may be doing so as a user with no special privileges, but it’s much easier for an attacker to gain root access after they have a shell.

Performing a Risk Analysis on Your Site

Risk is a quantity. It’s a percentage, a probability, a number between 0 and 1. The percentage that represents the likelihood that you’ll be compromised is a function of three things: vulnerability, threat, and assets. In fact, it’s a product:

risk = vulnerability X threat X assets

If you are extremely vulnerable (you have lots of holes in your software) or an extreme threat exists (such as when a government agency has declared information warfare on your site) then your risk approaches 1 or 100 percent risk, meaning that you will get nailed. If your assets are 0, your risk drops to 0 as well, which means you have no business—plus, if your assets are 0, you don’t have a site to begin with.

Even if your assets are low (you run a Web site with a picture of your dog), if you are very vulnerable, then you are still at high risk. A worm that automatically exploits common security holes doesn’t know or care that your Web site is just a picture of your dog, it breaks in anyway.

You may have a situation where vulnerability is relatively low (you have all the known holes patched away, and you’ve used good judgment when picking products) but may be faced with a dangerous attacker.

One example of such an attacker is someone who is capable of finding new holes in software and writing exploits for them, and he isn’t worried about being caught. He might not be worried because he just doesn’t think they will be caught, or perhaps it’s not even illegal to break into computers where they live. If an attacker of this sort targets your site, risk becomes high.

You’ll never be able to assign an accurate percentage to your risk. You have vulnerabilities you don’t know about. You have attackers you don’t know about or have limited information about. Many companies don’t have a good handle on their assets. Even if your company can assign exact values to your assets, you’ll never get an exact figure for vulnerabilities or threats.

But all is not lost. You can make a best estimate of vulnerabilities and threats, and along with information about your assets, you can make a judgment about your risk. As new information becomes available, you adjust your risk value. For example, if a new remote root vulnerability is announced in a software package you run, until the time you can get the patch in place, your risk is high.

Let’s take a look at some possible ways to measure each of these factors.

Determining Your Assets

Your company or project has assets, things that have value to you—they either have value to you because they are present, or because you would be damaged in some way if they were lost or disclosed (an asset either makes you money, or you lose money if you lose the asset). As you’ll see, an asset need not be money, literally.

Here are some examples of assets:

■ Money and financial information


Someone within the company ought to be concerned with all of these assets. Most information security professionals are only concerned with a subset of these. From the above list, this may include financial information, customer information, products (if your company sells things on the Web), intellectual property, and reputation.

Did you know that you kept your reputation on the Web server? If you’re an e-tailer, and you suffer a Web defacement or credit card database theft, then your attacker just removed your customer confidence from your Web server.

Your job within the security team is to try to reduce the number of exposed assets as much as possible—weighed against business needs, of course. Ideally, you won’t have a reason to have any of your private financial information out on your demilitarized zone (DMZ). However, some companies have a need to share that sort of thing with partners via a private section of their Web site.

One type of information that nearly all e-commerce Web sites must maintain is customer information, things such as names, addresses, order history, and credit card numbers. The credit card number data is one of the more worrisome pieces. We’ve all heard horror stories about hundreds of thousands of credit card numbers being stolen from e-commerce databases. Perhaps you’ve even had to get a new card or experienced some fraud due to such an intrusion.

If you have some sort of for-pay downloadable product on your Web site, you will want to protect that as much as possible. You may have some intellectual property on your Web servers. Perhaps you have some code to issue license keys that is proprietary. Perhaps your business logic is embedded in your database.

The rule of thumb for minimizing assets is this: Don’t have anything exposed that doesn’t absolutely need to be. It’s obvious but often overlooked. Chapter 5 discusses secure site design, and Chapter 6 has information on ways to deal with credit card information. Refer to these chapters for more help in these areas.


Why Attackers Might Threaten Your Site and How to Find Them

We know an attacker is one type of threat; others include power outages, loss of connectivity, or anything that will impede your ability to do business securely. Chapter 9 discusses availability issues, so in this chapter we focus on attackers.

Two main types of threats you might receive are an attack of convenience and a targeted attack. An attack of convenience occurs when the attacker has some new exploit that they want to try on every machine in the world, which includes yours. So, although they are scanning the whole Internet looking for vulnerable machines, they scan yours on the way through. The vast majority of the time, these types of scans are for older, known holes. If you keep any kind of minimal vigilance about your patches, you should be pretty safe from this type of attack.

A targeted attack is one aimed specifically at you. Usually, such an attacker will take a little time to research your site before blindly firing attacks at you.

An attacker that is specifically targeting you is more dangerous. They will be more persistent, they will generally be more intelligent about which attacks they try, and they may even spend the time to do some original research about problems with the software you use to run your site.

Your job is to watch for these attackers and to determine what kinds you have coming after you, which is not an easy task. You have very limited information, and you’re trying to determine the intentions of an attacker who may be thousands of miles away, whom you’ve never met.

As hopeless as it sounds, you still have a little bit of information to go on.

An attack of convenience is usually looking for a limited set of vulnerabilities. Worms are a good example of this. At the time of this writing, the Ramen worm is making the rounds. The Ramen worm scans hosts for ports 111 (portmapper), 21 (ftp), and 515 (lpd/lprng). It has rpc.statd and wuftpd exploits that work on Red Hat 6.2, and a lprng exploit that works on Red Hat 7.0. You might have slightly different versions of the same software, and it may even have the same vulnerabilities, however the automated exploit won’t necessarily work as offsets may be different in your situation.

An attacker (or a worm) with an exploit of this type will try it out on you, and if it doesn’t work, she’ll typically just move along to the next IP address. She isn’t interested in you per se, just any machine that will fall for this exact exploit—or perhaps 100 machines.

An attacker targeting you would likely try some variations on the same theme, trying to break into your server. He may make adjustments to the exploit, or just move on, having already determined that it doesn’t apply to you.

An attacker targeting your site will also usually do some reconnaissance, usually involving port scanning, OS fingerprinting, and perhaps some simple exploit attempts in order to gauge your level of defense and perhaps grabbing some file samples.

By carefully watching firewall and IDS logs, you will begin to understand the difference between someone who has tried their trick and moved on and someone who is sticking around for a little while.

You may manage to spot an attacker that looks like he is taking some care to stay below the radar, perhaps by doing a slow scan. Hopefully, the attacker will come from a consistent set of IP addresses, but that may not always be the case. Many times, however, you will often have multiple attackers at a time, which complicates matters further.

As a general rule of thumb, you will need to stay informed about the commonly scanned ports for new exploits. You can learn this type of information by reading the Bugtraq and Incidents mailing lists, among others. After you’ve developed a list of things you commonly get scanned for—the noise, essentially—you can focus on the other attacks you receive.
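Applying the triage this section describes to firewall logs, as an added example that is not part of the book: the log format, the thresholds and the sample lines are all constructed here (the noise list uses the three Ramen worm ports named above), so adjust the regex to whatever your firewall actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the text names as Ramen worm targets: hits limited to these are "noise".
NOISE_PORTS = {111, 21, 515}

# Constructed log format (assumption): "<iso-timestamp> DROP src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ proto=(\w+) dport=(\d+)")

# Constructed sample log: a worm-style probe, a fast port scan, a slow scan
# spread over ten hours, and one source that keeps coming back to port 22.
SAMPLE_LOG = [
    "2001-02-20T03:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=111",
    "2001-02-20T03:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=21",
    "2001-02-20T03:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=515",
    "2001-02-20T09:12:00 DROP src=198.51.100.200 dst=192.0.2.10 proto=tcp dport=22",
    "2001-02-22T23:41:17 DROP src=198.51.100.200 dst=192.0.2.10 proto=tcp dport=22",
]
SAMPLE_LOG += [
    f"2001-02-20T04:10:{i:02d} DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport={p}"
    for i, p in enumerate([22, 23, 25, 53, 79, 80, 98, 110, 113, 143])
]
SAMPLE_LOG += [
    f"2001-02-21T{h:02d}:15:00 DROP src=203.0.113.44 dst=192.0.2.10 proto=tcp dport={p}"
    for h, p in enumerate([22, 23, 25, 53, 79, 80, 98, 110, 113, 143])
]


def parse_log(lines):
    """Return (timestamp, source, protocol, destination port) for each matching line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, src, proto, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, proto, int(dport)))
    return events


def profile_sources(events):
    """Per source: hit count, distinct ports, time span, and whether only noise ports were touched."""
    by_src = defaultdict(list)
    for ts, src, _proto, dport in events:
        by_src[src].append((ts, dport))
    profiles = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = {dport for _ts, dport in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        profiles[src] = {"hits": len(hits), "ports": ports, "span_s": span,
                         "only_noise": ports <= NOISE_PORTS}
    return profiles


def classify(profile, scan_ports=10, slow_seconds=3600):
    """Label a source profile; the thresholds are assumptions, tune them to your site."""
    if profile["only_noise"]:
        return "noise"            # attack of convenience: tried its trick and moved on
    wide = len(profile["ports"]) >= scan_ports
    slow = profile["span_s"] >= slow_seconds
    if wide and not slow:
        return "fast scan"        # reconnaissance that any network IDS should flag
    if wide and slow:
        return "slow scan"        # staying below the radar; worth a closer look
    if slow:
        return "persistent"       # few ports, but keeps coming back over time
    return "one-off probe"


def triage(lines):
    """Map each source address in the log to its label."""
    return {src: classify(p) for src, p in profile_sources(parse_log(lines)).items()}
```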


Tools & Traps…

Gauge Your Threat Level with a Honeypot

A honeypot (in an information security context) is a system that is designed to be broken into. Setting up a honeypot will give you an opportunity to study tactics of attackers and possibly pick up a new attack or two along the way. Naturally, the attacker shouldn’t be aware that he has broken into a honeypot, and he should think that he’s gotten into an ordinary machine with no special monitoring. In fact, a honeypot machine typically has extensive monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker.

It’s also important that the honeypot machine not be able to act as a client on the Internet in general. You don’t want to have to explain your honeypot project to law enforcement when they show up wanting to know why your machine was breaking into other people’s machines. To avoid this, honeypots are usually placed behind an inverse firewall of sorts; connections get in, but they don’t get out. This may tip off an attacker somewhat, but it’s better than the alternative. It’s also part of your signaling mechanism that something interesting has happened on your honeypot. When your honeypot machine, which normally does nothing on the network, suddenly starts trying to get out to the Internet, then chances are good that someone got in. Even if the attacker figures out that he’s been duped, you have already collected some information.

Note that some people decide that a particular machine is a honeypot after it’s already been broken into, that is, after they detected the intrusion on their regular machine, they decided to keep the attacker around to keep an eye on him. I don’t recommend this, as it’s never much fun trying to track an attacker without being prepared ahead of time, but it’s an option. For some entertaining examples of people who have decided to take this route, take a look at the book “Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll (Pocket Books), and “An Evening with Berferd” by Bill Cheswick, Steve Bellovin, Diana D’Angelo, and Paul Glick at www.all.net/books/berferd/berferd.html.

Honeypots can be a part of your mechanism for determining your threat level. Some folks are of the opinion that trapping an attacker to study his techniques will give you some advance notice. It’s true that an attacker that is targeting your site will often spend some time on the first machine he can break into (your honeypot should be the easiest machine to penetrate on your network). My opinion is that little has been formalized in terms of using honeypots in order to gauge attackers. However, little in the world of trying to determine your threat level has been formalized, so it may very well be a valid technique. One has to have some familiarity with forensic techniques, log analysis, and protocol analysis to make a honeypot useful, but help is available in those areas if you’re a beginner.

Honeypots serve other useful functions besides determining threat levels. A community of people running honeypots can often provide each other with information about new exploits and worms. For one of the best examples of a community of honeypot operators, check out the Honeynet project (http://project.honeynet.org/).

Testing Your Own Site for Vulnerabilities

After you’ve made your best effort to determine what your assets are and have tried to determine what your current threat level is, it’s time to actively audit and assess your vulnerabilities.

Before we get to the technical items, let’s discuss a bit some of the factors that affect your decisions on exactly how to perform your vulnerability audit (also called a penetration test). The most obvious factor is budget. Can you hire people for this purpose? Can you train people you have? Can you afford the time, the tools, and equipment? As with most IT functions, you can trade man-hours for capital (or vice versa) when testing for vulnerabilities.
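The inverse-firewall signal the honeypot sidebar above describes (the honeypot normally originates nothing, so its first outbound attempt is the alarm), as an added example rather than anything from the book: the honeypot address, the one permitted log-collector address and the log format are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime

HONEYPOT = "192.0.2.50"           # assumed honeypot address
ALLOWED_EGRESS = {"192.0.2.5"}    # assumed: the collector the honeypot may send its logs to

# Constructed log format (assumption): "<iso-timestamp> <ACCEPT|DROP> src= dst= proto= dport="
LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed sample: an inbound FTP session, routine syslog to the collector, then the
# honeypot itself starts reaching for outside hosts, which the inverse firewall drops.
SAMPLE_LOG = [
    "2001-02-20T22:01:10 ACCEPT src=203.0.113.9 dst=192.0.2.50 proto=tcp dport=21",
    "2001-02-20T22:01:12 ACCEPT src=203.0.113.9 dst=192.0.2.50 proto=tcp dport=21",
    "2001-02-20T22:03:40 ACCEPT src=192.0.2.50 dst=192.0.2.5 proto=udp dport=514",
    "2001-02-20T22:05:02 DROP src=192.0.2.50 dst=198.51.100.23 proto=tcp dport=80",
    "2001-02-20T22:05:30 DROP src=192.0.2.50 dst=198.51.100.23 proto=tcp dport=21",
    "2001-02-20T22:06:00 DROP src=192.0.2.50 dst=203.0.113.200 proto=tcp dport=111",
]


def parse_log(lines):
    """Turn matching log lines into event dicts with a parsed timestamp."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, action, src, dst, proto, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "action": action, "src": src,
                           "dst": dst, "proto": proto, "dport": int(dport)})
    return events


def egress_alerts(events):
    """Every packet the honeypot itself originated toward anything but the collector."""
    return [e for e in events if e["src"] == HONEYPOT and e["dst"] not in ALLOWED_EGRESS]


def likely_entry(events, before):
    """Last inbound connection accepted to the honeypot before the first egress attempt."""
    inbound = [e for e in events
               if e["dst"] == HONEYPOT and e["action"] == "ACCEPT" and e["ts"] < before]
    if not inbound:
        return None
    last = max(inbound, key=lambda e: e["ts"])
    return last["src"], last["dport"]


def summarize(lines):
    """What a responder wants first: how much egress, when it began, where to, and which
    inbound session most likely preceded it (a starting point for the forensic work)."""
    events = parse_log(lines)
    alerts = egress_alerts(events)
    if not alerts:
        return {"alerts": 0}
    first = min(a["ts"] for a in alerts)
    return {
        "alerts": len(alerts),
        "first_egress": first.isoformat(),
        "targets": sorted({a["dst"] for a in alerts}),
        "likely_entry": likely_entry(events, first),
    }
```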

Another factor that affects cost is how often you conduct your audit. A penetration test isn’t something you can have done just once. Things change over time, whether the state-of-the-art tools in security and penetration have changed, or whether new systems have been added to your site, upgrades to software or configuration changes have been made. Even an experienced security administrator will make mistakes, perhaps forgetting to turn off a change intended to be only temporary.

For all of these reasons, you need to recheck your level of vulnerability every so often. How often you do is again probably a matter of resources, though checking too often may be disruptive depending on what type of IDS setup you have. If you have the luxury of dedicated staff to do the security assessment, you might check as often as once a month. Limited resources may dictate that you only do a full test once per year, though the idea of going a year without some level of security confidence is a bit frightening.

A good change control process can help with minimizing the risks in between full scans. Each time some change is made, make a best effort to determine exactly what will be affected and recheck just those things that are affected. This is harder than it sounds, because it requires a fair amount of discipline on the part of the people making changes to accurately record and assess any changes they make and to report the changes to the people who will need to recheck. Some host-based IDS systems will help enforce this, because they will catch some of the changes, but they will never be as effective as accurate records from the people actually making the changes in the first place. You can think of these as incremental penetration tests, similar to doing incremental backups in between full backups.

Determining the Test Technique

You might briefly consider what type of attacker you want to play against your own site, whether opportunistic or targeted. You could take all the exploit code you can download, compile it up, and throw it at your site. As discussed before, though, not all exploits will work as-is. This could easily result in false negatives, reporting that a service isn’t vulnerable when it is.

Of course, any tool or testing method could potentially result in false negatives, but blindly running exploits will result in a much higher false negative rate. Frankly, the vast majority of attacks of convenience attempt to take advantage of well-known holes, for which patches have been available for some time. If you’re getting caught by attacks of convenience, then you need to take a hard look at your procedures for tracking new vulnerabilities and applying vendor patches.

In almost every case, you should be performing the most intelligent attack possible. You should take advantage of your special knowledge of your site setup, short of actual secrets such as password and crypto keys. The types of knowledge you should take advantage of include the following:

■ Trust relationships

■ IP addresses on all network segments

■ Brands and versions of all your software

■ The type of network gear you use

■ Source code for all the software if available (especially custom software)

The reason that all of this leverage should be used is that you have to assume that an outside attacker will eventually be able to determine or infer the same information. In most cases, tools are available to probe for this sort of thing. The free program nmap, for example, will allow an attacker to pretty effectively determine OS versions (we look at how to use nmap in the next section).

The attitude behind the assumption that an attacker can determine the above types of knowledge is embodied in the phrase “security through obscurity doesn’t work.” Ultimately, all security relies on some sort of “obscurity.” However, you want your security to be reliant on something really obscure, such as a good password or a 128-bit crypto key—not the fact that you’re running a Web server on port 81 (which will be determined rather quickly).


So, it makes sense to give your invited attackers, whomever they may be, as much information as is useful to them. Yet again, there is a resource issue, so you may not be able to get as far as a full source code review, but plan on making the source available in case it becomes useful. It’s always possible that your penetration team may determine quickly that things appear to be locked down pretty tightly, and that they will be focusing on individual application holes or perhaps CGI script holes. If that situation arises, then having the source for as many of those applications as possible will accelerate that process.

Your administrators and developers would ideally have been performing these checks all along, but they have a different goal. They generally are trying to get things to function, not be secure. They also may not have the same level of security expertise as your penetration test team. For all these reasons, having a separate security audit makes sense.

Let’s discuss the issue of stealth for a moment. In real life, an attacker may try to use some stealth techniques to evade detection. This may include doing certain types of stealth portscans (these are of limited use, because just about any network IDS will pick these up. Some host-based measures such as TCP wrappers may not.) Other techniques are slow scans (doing a port scan slowly over time so as not to set off an IDS threshold and make the red port-scan light go off), packet fragmenting (effective against a number of IDS systems), and various types of misinformation attacks.

The question is, does having stealth techniques used against your site during a penetration test have any value? The answer is, of course, it depends—if you want to test strictly for vulnerabilities, then no, trying to be stealthy probably doesn’t have a lot of value. (Note that some stealth techniques such as packet fragmenting may also function as a way to bypass security measures. Use appropriate judgment in what to leave out.) However, if you want to test your IDS systems, and possibly your response procedures, then using stealth techniques may have some value. It’s not unheard of for someone in another part of an organization to spring a surprise penetration test on a particular set of systems to determine in part whether it’s detected and how it’s reacted to. If you need to also test your mechanisms for determining current threat level, then go ahead and do this. After (or if) your defense team has made the determination that an attacker is out there, go ahead and share the information about the penetration test taking place and turn off the stealth techniques to avoid spending unnecessary cycles.

Researching Your Vulnerabilities

Your first step is to do some research. This is a big step, and when done properly, may yield all the information needed to complete a break-in. The types of information that are most important to you are the following:

Having all of this information allows you to often just look up the combination of software you’ve found and download an existing exploit. It may require customization, but it’s a quicker route than writing from scratch.

(Note that the bullet list above, and indeed most of this book, is very Internet-oriented—that is, we say “IP address,” and give examples for TCP/IP—however, the concepts apply to any type of networking or OS.)

One of the best tools for gathering a couple of these items of information is nmap, a free tool created by Fyodor. (You can find it at www.insecure.org/nmap.) It has two main features of interest to us: It’s a great port scanner, with just about all the port scanner options you’d want, and it has an OS fingerprinting feature. Nmap takes note of the subtle differences contained within the packets that it gets back when scanning a host and consults a database of OS types for matches.


Probably the easiest way to illustrate this is to show an example (an explanation of the options follows the code example):

[root@ns1 rc3.d]# nmap -vv -sU -sT -O -P0 -e eth0 66.38.151.2

Starting nmap V 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against ns2.securityfocus.com (66.38.151.2)
Adding TCP port 22 (state open).
The TCP connect scan took 855 seconds to scan 1541 ports.
Initiating FIN,NULL, UDP, or Xmas stealth scan against ns2.securityfocus.com (66.38.151.2)
Too many drops increasing senddelay to 50000
Too many drops increasing senddelay to 100000
Too many drops increasing senddelay to 200000
Too many drops increasing senddelay to 400000
Too many drops increasing senddelay to 800000
adjust_timeout: packet supposedly had rtt of 8100232 microseconds Ignoring time.
adjust_timeout: packet supposedly had rtt of 8100259 microseconds Ignoring time.
The UDP or stealth FIN/NULL/XMAS scan took 2501 seconds to scan 1541 ports.
For OSScan assuming that port 22 is open and port 53 is closed and neither are firewalled
Interesting ports on ns2.securityfocus.com (66.38.151.2):
(The 3078 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
53/tcp     closed      domain
53/udp     open        domain
113/tcp    closed      auth

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=42998 (Worthy challenge)
Sequence numbers: 76B1034E 76B8D898 76BEE1B2 76C50F02 76CC2ED6 76D2E0FF
Remote operating system guess: Sun Solaris 8 early acces beta through actual release
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=A7F6)
T1(Resp=Y%DF=Y%W=60DA%ACK=S++%Flags=AS%Ops=NNTNWM)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

Nmap run completed — 1 IP address (1 host up) scanned in 3411 seconds

Without trying to repeat all of the instructions for nmap, let’s go over the options we used in this case briefly. The -vv is for extra verbose, which shows some of the steps that nmap performs while working; -sU tells it to do a UDP scan; -sT tells it to do a full connect TCP scan; -O tells it to do OS fingerprinting; -P0 tells it not to ping to check for whether the host is up; -e eth0 tells it which interface to use to scan; followed finally by the target IP address. The full list of options can be found in the man page or simply run nmap with no arguments, and it will produce a short list of what the options are.


You can see that this scan took some time to complete (it was done across the Internet). It has determined that the OS is “Sun Solaris 8 early acces beta through actual release”; it is in fact Solaris x86 version 8 release. Nmap is unable to determine which processor architecture it’s looking at in this case, so you’d have to use another method to determine that. That information is often critical if you’re trying a buffer overflow. It also reports on the TCP sequence predictability, which is important to know if you’re going to try TCP spoofing.

Assume for the moment that the port list nmap returned is accurate. (This is not always a safe assumption, because port scanners aren’t always perfect, and other circumstances may affect your scan, such as dropped packets.) In this case, the machine in question doesn’t seem to be running much, or some firewalling is going on, or both. It looks like we have access to 22/TCP and 53/UDP.

To complete this machine, let’s try to figure out the version numbers of the software we can reach. Here’s one way to do it for SSH (port 22):

[root@ns1 /root]# telnet 66.38.151.2 22

Most SSH daemons will volunteer what type and version they are (they have to at least advise the client which protocol version they speak). In this case, it appears to be OpenSSH 2.3.0p1. Port 53 is DNS. If the remote DNS server is BIND, you can often get it to tell you what version it is with the following command:

[root@ns1 /root]# nslookup -q=txt -class=CHAOS version.bind 66.38.151.2
*** Can't find server name for address 66.38.151.2: No response from server


*** Default servers are not available

In this case, we didn’t get an answer, so this is no help. Here’s what it looks like when it works correctly:

[root@ns1 /root]# nslookup -q=txt -class=CHAOS version.bind 207.126.127.66
Server:  www1.securityfocus.com
Address:  207.126.127.66

VERSION.BIND text = "8.2.3-REL"

In this case, it looks like it’s BIND 8.2.3-REL (release). In general, this method of trying to determine what software is running by seeing what kinds of information it will volunteer is called banner scanning.

Banner scanning is somewhat equivalent to connecting to a given port and seeing what kind of output you get. This works fine for TCP, but UDP is a bit harder. Many UDP services are organized around the concept of a datagram, a single packet (though possibly fragmented) in a particular format. So although one can use a simple tool like a Telnet client to connect to many TCP services and get back some output, this often does not work with UDP. (Specifically, a Telnet client doesn’t work with UDP at all, but the concept could be done with something like netcat in UDP mode. The point is, most UDP services won’t volunteer output immediately.) For UDP, you have to issue the right kind of request and see what kind of output, if any, you get. However, if you’re trying to figure out what the service is, you won’t know what kind of request to send—it’s an obstacle of a chicken-and-egg nature, so you’ll usually have to make some intelligent guesses or correlate other information.

So, in this case we can’t easily determine which DNS software is being run (if, in fact, that’s what is listening there). We might guess it’s not BIND, because it doesn’t respond to the query that works on most BIND servers. (If you’re curious, in this case it’s tinydns from the djbdns package.) If it were really important to your test, you could probably develop some profiles of how various DNS servers answer queries and compare the response that you get from this one. This is the same idea that nmap uses to determine OS. Or, if you happened to search through the djbdns mailing list archives, you might notice that I made a number of posts asking questions about implementing djbdns in the not too distant past and make inferences from that.

In either case, for this machine you’re left with pretty limited information about what might be attackable. Because SSH is open, you always have the option of trying to brute-force guess usernames and passwords. However, if the site in question has done a decent job at all with their password policies, this should prove pretty fruitless. You could also try some BIND exploits. If you’re not trying to be stealthy, you have nothing to lose.

At the time of this writing, djbdns has no known holes, nor does that version of OpenSSH. That leaves you with the option of moving on to a different box (if there are any others) or searching the source of OpenSSH and djbdns for new holes so as to write an original exploit. The developers for both OpenSSH and djbdns are pretty security conscious, so I’d put that last on my list.

Let’s take a look at a box that would be a bit easier to deal with:

Starting nmap V 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (x.x.x.x):
(The 1512 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
1024/tcp   open        kdm
5680/tcp   open        canna
6667/tcp   open        irc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3267068 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed — 1 IP address (1 host up) scanned in 20 seconds

I’ve hidden the address in this case to protect the victim. Not my victim, mind you—this is a box that set off my IDS by scanning me for port 111 (portmapper). It seems strange that some random Linux box would be running an IRC server (or so nmap says, 6667/tcp.) However, the banner presented when Telnetting to that port is this:

SSH-1.5-1.2.27

It’s an SSH server. Any number of rootkits for Linux will install an SSH or telnetd equivalent on some high port number and leave it for an attacker to get back in with later. This Linux machine has almost certainly been broken into, which is why it was scanning me. It’s probably scanning most of the Internet. Let’s take a look at some of the other banners on the open ports.

21/tcp
220 looks FTP server (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.

23/tcp
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login:

79/tcp
No one logged on.

80/tcp (HTTP servers don't send data automatically; I typed "HEAD / HTTP/1.0[cr][cr]")
HTTP/1.1 302 Found
Date: Tue, 20 Feb 2001 03:34:24 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1
Location: http://x.x.x.x/servlet/st?rw=
Connection: close
Content-Type: text/html; charset=iso-8859-1

The others simply produce an error when you press Enter or disconnect you without any output. Obviously, knowing the proper protocol will allow you to probe those further.

So, it seems apparent that we have a Red Hat 6.2 box that has been broken into, probably by a worm, and had a rootkit installed. And it’s proceeding to look for other victims. Interestingly enough, because this looks like an otherwise totally default Red Hat 6.2 install, you’d expect to find portmapper, lpr, and BIND running. We didn’t show a UDP scan here, but a quick check for those particular ports shows them not listening. A number of known remote root vulnerabilities in stock Red Hat 6.2 would be exploitable if those services were listening. It looks like after the attacker moved in, they cleaned up. Some of the Red Hat worms are known to do this.

But in any case, back to the issue of breaking into machines. A quick check on the SecurityFocus.com vulnerability database shows that version of wuftpd to be vulnerable. One of the attacks (the one used by the Ramen worm, for example) requires a login to function, usually anonymous is enabled. It wasn’t in this case, yet more evidence that Ramen has moved in and closed the holes behind it. However, at least one other hole in that version of wuftpd looks like it’s still viable. (So is the first if you can guess a login, but then you could probably just Telnet to it in that case, though the wuftpd hole gives root directly. You can use many local holes after you have a shell.)

I’m not going to break into this machine, I don’t have explicit permission. Port scanning is considered rude and may be against some ISPs’ acceptable use policy, but it’s not illegal where I’m located. Actually breaking in would be, even though I’d just be joining the party. Plus, you never know when it’s a honeypot or when law enforcement is leaving it up waiting for the attacker to come back.

Mapping Out a Web Server

Having touched briefly on some general methods for determining what is running on a box, let’s take a more detailed look at what might be available via a specific service, HTTP. Web servers are particularly interesting, because on a full-featured site one may be able to interact with several full applications via HTTP. The more functionality, the more opportunity there is for something to be wrong and for you to get in.

We already touched on a tiny bit of research for Web servers. Most Web servers will volunteer several items of information about themselves when asked. For example:

[root@ns1 /root]# telnet slashdot.org 80
Trying 64.28.67.150...
Connected to slashdot.org.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 20 Feb 2001 04:52:35 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.24
Connection: close
Content-Type: text/html

Connection closed by foreign host.


The Web server at slashdot.org has volunteered that it’s running Apache 1.3.12 on UNIX, and that it has the (optional) mod_perl loaded, version 1.24. None of this is news if you’re familiar with Slashdot, but it illustrates the point. The command used is HEAD / HTTP/1.0, followed by two carriage returns (press Enter twice). If you’re doing this manually with the Telnet client, you can’t make any typos, and you can’t backspace. If you screw up, disconnect and try again.
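The same HEAD request done from a script, as an added example (not code from the book): it builds the request with the exact CRLF pairs that "press Enter twice" produces, parses the response head, and pulls the product/version tokens out of the Server header so you can check what your own server volunteers. The sample response is constructed from the headers shown above; hostnames are placeholders.

```python
"""Banner check for an HTTP server: send HEAD / HTTP/1.0 and parse the Server header.

Added example; not code from the book. The sample response below is constructed
from the headers quoted on the page.
"""
from __future__ import annotations

import socket

# HEAD / HTTP/1.0 followed by an empty line ends the request header block.
# Each line ends in CRLF; this is exactly what "press Enter twice" sends from telnet.
HEAD_REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"


def parse_response_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a header map (names lowercased)."""
    text = raw.decode("iso-8859-1", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def server_components(server_header: str) -> list[str]:
    """Break 'Apache/1.3.12 (Unix) mod_perl/1.24' into product tokens, dropping (comments)."""
    tokens: list[str] = []
    depth = 0
    current = ""
    for ch in server_header:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0:
            if ch.isspace():
                if current:
                    tokens.append(current)
                    current = ""
            else:
                current += ch
    if current:
        tokens.append(current)
    return tokens


def disclosed_versions(server_header: str) -> dict[str, str]:
    """Return {product: version} for every token that carries a version number."""
    result: dict[str, str] = {}
    for token in server_components(server_header):
        product, sep, version = token.partition("/")
        if sep:
            result[product] = version
    return result


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the HEAD request over a raw socket and return the server's reply (uses the network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HEAD_REQUEST)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample: the response the book shows for slashdot.org, as raw bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 20 Feb 2001 04:52:35 GMT\r\n"
    b"Server: Apache/1.3.12 (Unix) mod_perl/1.24\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, headers = parse_response_head(SAMPLE_RESPONSE)
    print(status)
    # {'Apache': '1.3.12', 'mod_perl': '1.24'}: every version your server is handing out
    print(disclosed_versions(headers.get("server", "")))
```

An empty result from disclosed_versions on your own server means the Server header is not leaking product versions.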

This is no more than banner scanning, though. To really dig into a Web server, you’ll need a way to get a list of as many files on that server as possible. More specifically, you want ones that do some sort of server-side processing or contain sensitive information. However, because you probably won’t have a good way to get just those, you’ll probably go after all of them, and sort them out later.

One way to essentially grab a whole Web site is to use wget (available from your local GNU archive.) This will by no means be stealthy. Depending on the size of the Web site you’re trying to grab, it may take an extremely long time, and it’s possible it may swamp the Web server you’re hitting as well, especially if it manages to step into a portion of the Web site that contains a lot of dynamic content. But, if you’re willing to deal with those problems, it is a rather complete way to grab what you need for later searching and inspection.

We won’t go into great detail here on how to compromise server-side processes, as a big portion of the previous book in this series, “Hack Proofing Your Network: Internet Tradecraft” spends quite a bit of time on this subject. But briefly, what you will be looking for are Web “pages” ending in extensions that indicate server processing, such as .pl, .asp, .shtml, .php, and so on. You’ll also want to keep an eye out for directories with names containing cgi or cgi-bin. Next, use the grep command to search through the files you’ve grabbed looking for submit tags, links with a ? in them, or anything that indicates dynamic processing. You’ll want to look for pages that seem to have errors or SQL code leaked onto them, which will give you clues as to what effect your attempts are having. Keep an eye out for hidden variable tags because they could possibly indicate sloppy programming.

Unfortunately, I can’t give you a set formula for finding these types of problems, because they may often be site specific. You’ll need to have an understanding of how Web servers work, the various scripting languages, and probably SQL as well. The process is creative, so it’s more art than science.

Beyond the clue that the Web server hands you outright, you can get links to explore from other places. One of my favorites is the Web search engines. You can go into http://altavista.com, for example, and enter the search phrase: +host:www.example.com +url:cgi. It will give you all of the URLs on the host www.example.com that contain “cgi.” Some of these may not be linked from the site itself anymore, so the wget method might not reveal them, but the search engine archives can go back for some time, and the actual file may still be there even if it isn’t linked. This method is also particularly nice because it doesn’t directly touch the target Web server.
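The grep pass over a mirrored site described above, as an added example that is not part of the book: it walks a wget-style dump (here a constructed in-memory path-to-HTML map standing in for the directory tree) and reports the clues the text lists: server-side extensions, cgi directories, links with a ?, forms and submit buttons, hidden fields, and error or SQL text leaked into a page. The regular expressions and the sample pages are assumptions of this example.

```python
"""Inventory of a mirrored Web site: flag pages that show server-side processing,
forms, hidden fields, query links and leaked database errors.

Added example, not code from the book. SAMPLE_MIRROR is constructed inline and
stands in for the directory tree wget would leave behind.
"""
from __future__ import annotations

import re

# Extensions the book names as signs of server-side processing, plus a few common ones.
DYNAMIC_EXTENSIONS = (".pl", ".asp", ".shtml", ".php", ".cgi", ".jsp", ".cfm")

HREF_RE = re.compile(r"""(?:href|action|src)\s*=\s*["']?([^"'\s>]+)""", re.I)
FORM_RE = re.compile(r"<form\b[^>]*>", re.I)
SUBMIT_RE = re.compile(r"""<input\b[^>]*type\s*=\s*["']?submit""", re.I)
HIDDEN_RE = re.compile(r"""<input\b[^>]*type\s*=\s*["']?hidden[^>]*>""", re.I)
NAME_RE = re.compile(r"""name\s*=\s*["']?([^"'\s>]+)""", re.I)
# Fragments that typically appear when a database error or SQL leaks onto a page.
SQL_LEAK_RE = re.compile(
    r"(ODBC|SQL syntax|ORA-\d{5}|SELECT\s+.+\s+FROM\s+|mysql_|syntax error)", re.I
)


def is_dynamic_path(path: str) -> bool:
    """True if the path looks like a server-side script or lives under a cgi directory."""
    lower = path.lower().split("?", 1)[0]
    if any(seg in ("cgi", "cgi-bin") for seg in lower.split("/")):
        return True
    return lower.endswith(DYNAMIC_EXTENSIONS)


def hidden_field_names(html: str) -> list[str]:
    """Names of <input type=hidden> fields, in page order."""
    names = []
    for tag in HIDDEN_RE.findall(html):
        match = NAME_RE.search(tag)
        if match:
            names.append(match.group(1))
    return names


def inventory_page(path: str, html: str) -> dict:
    """Collect, for one page, the clues the book says to grep for."""
    links = HREF_RE.findall(html)
    return {
        "dynamic_page": is_dynamic_path(path),
        "dynamic_links": sorted({link for link in links if is_dynamic_path(link)}),
        "query_links": sorted({link for link in links if "?" in link}),
        "forms": len(FORM_RE.findall(html)),
        "submit_buttons": len(SUBMIT_RE.findall(html)),
        "hidden_fields": hidden_field_names(html),
        "sql_leak": bool(SQL_LEAK_RE.search(html)),
    }


def inventory_mirror(mirror: dict[str, str]) -> dict[str, dict]:
    """Run inventory_page over every file (path -> contents) and keep pages with findings."""
    report = {}
    for path, html in mirror.items():
        info = inventory_page(path, html)
        interesting = (info["dynamic_page"] or info["dynamic_links"] or info["query_links"]
                       or info["forms"] or info["hidden_fields"] or info["sql_leak"])
        if interesting:
            report[path] = info
    return report


# Constructed sample mirror: four pages, one of them plain static.
SAMPLE_MIRROR = {
    "www.example.com/index.html": (
        '<html><body><a href="/about.html">About</a>'
        '<a href="/cgi-bin/search.pl?q=test">Search</a></body></html>'
    ),
    "www.example.com/about.html": "<html><body>Static page, nothing to see.</body></html>",
    "www.example.com/login.php": (
        '<form action="/login.php" method="post">'
        '<input type="hidden" name="admin" value="0">'
        '<input type="text" name="user"><input type="submit" value="Go"></form>'
    ),
    "www.example.com/report.asp": (
        "<html><body>Microsoft OLE DB Provider for ODBC Drivers error "
        "[Microsoft][ODBC SQL Server Driver]Syntax error in query expression</body></html>"
    ),
}

if __name__ == "__main__":
    for path, info in inventory_mirror(SAMPLE_MIRROR).items():
        print(path, info)
```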

Finally, there may be files on the site that you can attack that are linked from nowhere, so you’ll never know they are there except through intelligent guessing. The most common of these are the default files that come with any Web server. They often aren’t removed, and in many cases, they have had vulnerabilities. For example, all copies of IIS 4.0 Web server contained a sample file called showcode.asp, whose purpose in life is to show the source code for an asp file rather than running it, a feature any attacker would love to have. To make matters worse, it has a bug that lets you walk around the Web server file system with it. The Web site will likely not have a link to this file anywhere in its pages, but it may well be there.

The way to discover files like these is to consult vulnerability databases for the version of the Web server you’re looking at or to duplicate the setup in question as much as possible. If there are standard sample files, when you install the same software on your machine, you’ll have the same files. Finally, one other way to find these files is to use an automated tool that has them programmed in.

Using Automated Scanning Tools

We’ve been waiting until this point in the chapter to cover automated scanning tools because they are of little use if you can’t take advantage of the information produced by them. The automated tools can only take you so far, and then you’ll have to have the skills to back up what you find out. Even if the automated tools were 100 percent accurate, the majority of them will not actually carry out a penetration, they will only try to determine if a site is vulnerable or not. It will be up to you to actually exercise the vulnerability.

Automated scanning tools play an important part in a penetration test, though. They help ensure that you don’t forget something, or skip over something simple, thinking that “the target couldn’t possibly be vulnerable to that…” As a systems or security administrator, it’s very easy to forget to check services that you believe aren’t running or to assume that your coworkers won’t pick really bad passwords that are easily guessed.

Damage & Defense…

Automated Scanner as Time Saver

At one point in my career, I received a phone call from a person I used to work with, who had since moved on to another job. She had inherited the job of security management, but didn’t feel that she knew as much about the job as she would like. They were planning to fire a contractor that day, and they were a little concerned that he might try to retaliate by trying to break into their site from home after he’d been escorted out. I offered to check their site for them, secured the appropriate permission, and explained that I’d be doing my scan over the Internet.

I didn’t need to be stealthy about it, so I figured I’d fire off Internet Scanner from ISS at them, just as a quick way to figure out what services were running and to possibly grab some usernames. That process normally takes some time, so I swiveled my chair back to another machine to check my e-mail. About 60 seconds later, I glanced at the scanning machine, and was shocked to see that it had found an administrator password!

Sure enough, the password it had guessed (username support, and password support) was in the domain administrators group. After some quick checking, it also looked to me like I had control of a machine all the way on the inside of their network.

I immediately phoned my ex-coworker to report what I had found. Every machine I had scanned had every port listening that I would expect for a non-firewalled machine, and I could reach them from the Internet. I told them they needed a firewall, badly. They told me that they had a firewall. I explained that I saw no sign at all of a firewall, and that I was reaching everything. It turned out that their network was bigger than I thought, and what was happening was that they were doing NAT on their firewall. They did indeed have a firewall (at least they had a box with the word firewall painted on the side) but what they had done was to take an outside address and translate it to an inside address and open every port to that box. They had no DMZ whatsoever.

I was a bit stunned. I told them that I hoped their contractor didn’t get too disgruntled, because they weren’t going to be fixing their problems before he left.

Eventually, they fixed their setup. The point of the story is not to discount really stupid stuff that you think people would never do in a million years. An automated scanning tool is one way to help make sure you don’t, because you can let it try the dumb stuff.

Automated scanning tools run the entire spectrum of features, complexity, and cost. A particular tool may target one specific area, such as Web server holes, or it may try to find as many different types of bugs as possible. Complexity may range from a very terse “service X is vulnerable to attack Y,” all the way up to multiple levels of reporting, histories, and trends. Cost ranges from free to very expensive.

Some of the most popular scanners are Nessus, Internet Scanner by Internet Security Systems, CyberCop Scanner by Network Associates, NetRecon by Axent, HackerShield by BindView, Cisco Secure Scanner, and various descendents of Security Administrator Tool for Analyzing Networks (SATAN), such as Security Administrator’s Research Assistant (SARA) and System Analyst Integrated Network Tool (SAINT). If you’re curious about some of the differences, there’s one recent review at www.networkcomputing.com/1201/1201f1b1.html.

(Incidentally, that review favors Nessus, which is one of the free scanners. This evaluation was based on letting each scanner loose on a number of systems with known holes and counting how many were spotted by each scanner.) Out of the above list, Nessus, SATAN, SARA, and SAINT are free. You can get demo versions from most of the commercial vendors.

Let’s go ahead and take a look at Nessus as an example. The scanner portion runs on UNIX, whereas the GUI can run on UNIX, Windows, or Java (presumably meaning any OS with a full Java implementation.) The example screens shown here are from the Windows GUI.

Figure 7.1 shows what Nessus looks like during the scanning process, after you’ve installed everything, logged into your scanning server, and have chosen a range of IPs or names to scan. The portscan is done by nmap as an external process, so currently the Portscan bar shows 0 done until the entire portscan is complete, then jumps to 100 percent. The Attack bar will advance with each attack, and the current attack in progress is shown next to “Security check.” This example took a couple of hours to complete.

Figure 7.1 Status Screen during Scanning


After the scan is complete, a screen is displayed showing the IP addresses scanned, and any vulnerabilities or warnings found (see Figure 7.2).

This Nessus interface is somewhat typical of vulnerability scanners. They often have a red/yellow/green rating system (red and orange, in this case.) Here, 66.38.151.3 is flagged with a red ball. If we select that IP address, a short list at the right is presented. I’ve clicked on the plus signs to expand a couple of the items marked as “holes.” It doesn’t appear that Nessus has figured out that this is a Real Server, but it did find one “hole” that is Real Server–specific. Of course, the IIS hole doesn’t apply at all. It also turns out that the GET admin/includes hole has been patched on this server. Still, it’s better to have false positives than false negatives. You can manually dismiss false positives, but if you’re getting a lot of false negatives, then the tool isn’t helping much. This particular network is a production network, so there are no holes there that we know of.

Figure 7.2 Nessus Report Screen


The rest of the items that it flagged are innocuous. There is an example shown in Figure 7.3.

Here Nessus has recommended that you configure your Web server to lie about what software it is (this one already does, as you might infer from the fact that it’s identified as Linux.) It also reports what OS nmap detected. It also notes that the IP IDs are predictable, which is not of great concern to us, though interesting to know. This is not the same class of problem as having predictable TCP sequence numbers. Nessus can also produce reports in other formats, such as HTML, and include some simple graphs.

Figure 7.3 Nessus “Orange” Warnings

Hiring a Penetration Testing Team

Should you have an internal team or an external team doing your penetration test? As usual, the answer depends a great deal on your resources.

You can hire any number of individuals or teams to perform a penetration test of whatever scope you like. In an ideal world, you would have both internal and external teams performing the audit at regularly scheduled intervals. However, few of us can afford that, or even if we can, justifying the expense is difficult.

Let’s assume for the moment that we have the resources to have a single team perform a penetration test. Should it be an internal team or an external team? Here are some of the reasons you would want an internal team to do the test:

■ You won’t have to share sensitive info with any external parties

■ Your employees will learn from the work done, and you willretain the expertise within your organization

■ Your employees are already on your payroll

■ Your team knows the intricacies of your site better than anyone

Here are the main reasons you’d want an external team:

■ Lack of penetration testing skillset in-house

■ Contractual obligation to have audit done by third party

■ You want an evaluation by someone else other than the teamthat implemented the security in the first place

■ Your staff doesn’t have the time

■ The process will be more formalized if you pay someone else to do it

Some of the items will determine right away that you’ll need an external team, for example having a requirement that a third party audit you or lacking the skillset in-house. The default choice tends to be to do it internally, because it is often perceived as being “free.” There’s nothing wrong with doing it internally per se, but it should be taken seriously and formalized. This means that you should expect the same kinds of results you would get if you went outside.


Let’s go over what you can expect from an external audit. You should expect references and resumes of the individuals that will be performing your audit. You should expect to sign an agreement indemnifying them of any repercussions from a successful penetration. You should expect to outline in detail what you want done and what you do not want done. You should expect an estimate for the work asked for and an agreement that you will be contacted for approval if extra time is needed. You should expect a report of findings, both what was tried and failed, as well as what was successful.

There is no reason why your internal people couldn’t conduct the same kind of audit if they have the skillset. There is also no reason why you shouldn’t require the same documentation that you would get from an external audit.

Back to the question of having multiple audit teams or perhaps different audit teams for different scheduled audits. If the teams are comparable in terms of skills, then having different perspectives can be helpful.

You’ll have to decide at some point about network positioning for the audit. This has to do with where the auditor will audit from. Many auditors might prefer to do their work across the Internet, allowing them to work from home base and not spend a lot of time traveling. The only real problem with this is that there’s always a chance that some third party will be monitoring your traffic and will learn of a new vulnerability in your site as a result of the audit. My personal opinion is that if you have someone monitoring your traffic like that, you have worse problems. However, some folks are not so quick to dismiss this issue. For them, there are VPN-like solutions that should allow the auditor to conduct his business across the Internet without being monitored, at least not until the last bit of network. And you can always fly the auditor out to your location and plant them at a desk in your facility. Obviously, this may increase costs somewhat.

In addition to where the audit sits is the question of what locations in your security structure he is allowed to test from. The first obvious place is from the outside—from the equivalent of the Internet. But perhaps you’d like to know what could be done from one of your DMZ segments to find out what happens when your firewall is breached. Your security design ideally ought to be failsafe in layers. Even if the firewall wasn’t there, or was misconfigured, would you still be safe? If an attacker somehow managed to get control of a machine on your financials DMZ segment, what would that buy him in terms of getting onto other machines? This type of testing can be done by coordinating with the auditor(s) and plugging their auditing machines into the appropriate network segments for each phase of the test. This assumes that they don’t get in from the Internet side in the first place. If they actually manage to get control of a machine on a DMZ segment, then the repatching issue is irrelevant. For internal auditors, they can place themselves in the appropriate spots as needed.

Note that if you’re going to do both an internal and external audit, it might be smart to do the internal audit first. The ideal is to get rid of any easy problems first, so that you get the most for your money from the external auditing team. If they can’t spot any easy problems right off, they will have to work a bit harder and be more thorough.


Summary

The goal in attacking your site is to assess how good your security design is and how well it has been implemented. In order to be an effective attacker, you need to understand what kinds of attacks can be launched against you. These include Denial of Service, information leakage, file access, misinformation, special file access, and elevation of privilege. Ultimately the attacker wants a higher level of privileges on your system.

In order to effectively protect your site, you have to know what your risks are. The three components of risk are vulnerabilities, threats, and assets. If you have assets to protect and vulnerabilities or threats are high, then your risk is high. Assets are typically fixed, so your goal is to minimize vulnerabilities and threats.

Measuring threats can be challenging, because you’re trying to assess the intentions of remote attackers that you have probably never met. Your best tools for figuring out what kinds of attackers you have coming against you are the logs about what kinds of attacks they are trying. Typically, attacks of convenience will be targeting specific services rather than scanning for wide ranges of port numbers. IDS systems can be of assistance in weeding out the common attacks from the more persistent ones, because some of them can spot scanning patterns. You will also need to watch the various mailing lists for information about the latest worms and script kiddie tools.

Assessing your level of vulnerability is a bit easier. It’s a technical problem, requiring technical expertise. The chief way that vulnerability (other than day-to-day administration) is assessed is through a penetration test. A penetration test is a test to see if your site can be broken into. You can use either an internal or external penetration team to do your testing. In either case, you should expect a report of what work was done and what attacks, if any, were successful.

One of the aids to penetration testers is an automated scanning tool. These can often perform tedious tests that a human might miss or might not have time to do. Automated scanning tools come in all shapes, sizes, and prices. Most are available for evaluation purposes (some are free) to help you decide which one is right for you.


Solutions Fast Track

Anticipating Various Types of Attacks

■ An information leakage attack is an attack against confidentiality. A classic example of an information leakage problem is the finger service. Way back when, most UNIX machines ran a service called finger. There was a matching finger client command that would provide information about a particular user on a particular machine. This type of information does not lead directly to compromise, but it’s rather disheartening how often a user’s password matches their username—finger is a quick way to collect some usernames.

■ A file access attack is an attack against confidentiality and integrity. There are any number of subcategories under file access, such as read access, write access, and delete permissions. Read access directly affects only confidentiality, whereas others permit modifications, which affect integrity. For example, UNIX- and DOS/Windows-based operating systems use .. to represent the parent of the current directory, so that entering cd .. will take you up one directory level—some server software fails to take this into account and will allow .. to be used in the file request, allowing an attacker to step out of boundaries.

■ A misinformation attack is designed to confuse the defender. It’s an attack against integrity—not the integrity of the systems themselves, but rather the defender’s information about the systems. An example of a misinformation attack is an nmap scan that will generate extra traffic aimed at your host alongside the real packets doing the scanning.

■ A lot of the interesting stuff at a site lives in a database. This is especially true for e-commerce sites. One extremely common programming mistake developers make when developing a Web site is to improperly escape or filter user-supplied data, giving an attacker a way to send SQL commands to a database.

■ An elevation of privilege attack is an attack against the integrity of the security structure, though it often leads directly to other compromises. If an attacker can gain further capabilities beyond what they were supposed to have, then a security mechanism somewhere has been broken. Such a mechanism may be broken due to bad design, a bug, or just because the administrator implemented the mechanism improperly.
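The .. problem from the file access item above, as an added example (not code from the book): a file-serving routine that splices the request onto the document root without checking where it ends up, next to one that resolves the path and refuses anything outside the root. The temporary directory layout and the function names are assumptions of this example.

```python
"""Directory traversal with "..": the sloppy resolver beside the checked one.

Added example, not code from the book. The document root and its files are
created in a temporary directory so the example runs stand-alone.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def resolve_unsafe(docroot: str, requested: str) -> str:
    """The mistake: join and normalise, but never check where we ended up."""
    # os.path.normpath happily collapses "htdocs/../secret.txt" into "secret.txt".
    return os.path.normpath(os.path.join(docroot, requested.lstrip("/")))


def resolve_safe(docroot: str, requested: str) -> str | None:
    """Resolve the path (symlinks included) and allow it only if it stays inside docroot."""
    root = Path(docroot).resolve()
    # A leading slash would make the request absolute; treat it as relative to the root.
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the document root: refuse the request
    return str(candidate)


def serve(docroot: str, requested: str, safe: bool = True) -> bytes | None:
    """Return the requested file's contents, or None if refused or missing."""
    path = resolve_safe(docroot, requested) if safe else resolve_unsafe(docroot, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_demo_tree() -> tuple[str, str]:
    """Constructed layout: <tmp>/htdocs is the web root, <tmp>/secret.txt sits outside it."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    Path(docroot, "index.html").write_bytes(b"<html>hello</html>")
    Path(base, "secret.txt").write_bytes(b"outside the web root")
    return base, docroot


def demo() -> dict[str, bytes | None]:
    """Serve a normal request and a parent-directory request through both resolvers."""
    _base, docroot = build_demo_tree()
    return {
        "unsafe_index": serve(docroot, "/index.html", safe=False),
        "unsafe_parent": serve(docroot, "/../secret.txt", safe=False),  # leaks the file
        "safe_index": serve(docroot, "/index.html", safe=True),
        "safe_parent": serve(docroot, "/../secret.txt", safe=True),  # None: refused
    }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name}: {content!r}")
```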

Performing a Risk Analysis on Your Site

■ Assets at risk can include money and financial information, customer information, products, intellectual property, employees, and reputation

■ By carefully watching firewall and IDS logs, you will begin to understand the difference between someone who has tried his trick and moved on, and someone who is sticking around for a little while. You may manage to spot an attacker that looks like he is taking some care to stay below the radar, perhaps by doing a slow scan

■ A honeypot is a system that is designed to be broken into. Setting up a honeypot will give you an opportunity to study the tactics of attackers. Your honeypot should be the easiest machine to penetrate on your network. One has to have some familiarity with forensic techniques, log analysis, and protocol analysis to make a honeypot useful

Testing Your Own Site for Vulnerabilities

■ A good change control process can help with minimizing the risks in between full scans. Each time some change is made, make a best effort to determine exactly what will be affected and recheck just those things that are affected. Accurately record and assess any changes made and report the changes to the people who will need to recheck. Some host-based IDS systems will catch some of the changes, but they will never be as effective as accurate records from the people actually making the changes in the first place. Think of these as incremental penetration tests, similar to doing incremental backups in between full backups.

■ Any tool or testing method could potentially result in false negatives but blindly running exploits will result in a much higher false negative rate. If you’re getting caught by attacks of convenience, then you need to take a hard look at your procedures for tracking new vulnerabilities and applying vendor patches

■ Types of knowledge you should take advantage of include the following: Trust relationships, IP addresses on all network segments, brands and versions of all your software, what type of network gear you use, and source code for all the software if available (especially custom software)

■ An attacker may try to use some stealth techniques to evade detection. This may include doing certain types of stealth portscans (these are of limited use, because just about any network IDS will pick these up. Some host-based measures like TCP wrappers may not.) Other techniques are slow scans (doing a port scan slowly over time so as not to set off an IDS threshold and make the red port-scan light go off), packet fragmenting (effective against a number of IDS systems), and finally, various types of misinformation attacks

■ The pieces of information needed for targeting known holes and downloading an existing exploit include IP Addresses, names, open ports, OS versions, software versions, network structure, and firewall configuration(s)

■ Banner scanning is the method of trying to determine what software is running by seeing what kinds of information it will volunteer, somewhat equivalent to connecting to a given port and seeing what kind of output you get. This works fine for TCP, but UDP is a bit harder. Although one can use a simple

Posted: 14/08/2014, 04:21
